ACHIEVEMENT: Password recovery via email is now fully working! 🎉

Implemented a complete password recovery flow that:
- Asks users for their email address
- Sends a recovery link via Mailgun SMTP
- Allows users to set a new password
- Expires recovery links after 30 minutes

Flow stages:
1. Identification stage - collects user email
2. Email stage - sends recovery link
3. Prompt stage - collects new password
4. User write stage - updates password

Features:
✓ Email sent via Mailgun (noreply@mg.vrije.cloud)
✓ 30-minute token expiry for security
✓ Set as default recovery flow in brand
✓ Clean, user-friendly interface
✓ Password confirmation required

Users can access recovery at: https://auth.dev.vrije.cloud/if/flow/default-recovery-flow/

Files added:
- recovery-flow.yaml - Blueprint defining the complete flow
- update-recovery-flow.yml - Deployment playbook

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
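The four stages listed in the commit message, wired into one authentik recovery flow, as an added blueprint example written for this page. It is not the repository's own recovery-flow.yaml, which the commit page does not show. The model names and the `!KeyOf` reference tag follow authentik's blueprint format; the stage attribute names, the `token_expiry` value format and the default brand's `domain` identifier are assumptions that must be checked against the blueprint schema of the authentik version actually deployed.

```yaml
# Added example (editor's illustration, not the repository's recovery-flow.yaml,
# which is not shown on the commit page). Model names and the !KeyOf tag follow
# authentik's blueprint format; attribute names, the token_expiry value format
# and the brand identifier are assumptions to check against the deployed version.
version: 1
metadata:
  name: Example - password recovery via email
entries:
  # The flow. designation=recovery lets the brand use it as its recovery flow;
  # require_unauthenticated keeps already logged-in sessions out of it.
  - model: authentik_flows.flow
    id: recovery-flow
    identifiers:
      slug: default-recovery-flow
    attrs:
      name: Password recovery
      title: Reset your password
      designation: recovery
      authentication: require_unauthenticated
  # Stage 1: identification by email only. Not revealing whether the address
  # exists stops the form acting as an account-enumeration oracle.
  - model: authentik_stages_identification.identificationstage
    id: recovery-identification
    identifiers:
      name: recovery-identification
    attrs:
      user_fields:
        - email
      show_matched_user: false
      pretend_user_exists: true
  # Stage 2: email via the global SMTP settings (Mailgun here) using the built-in
  # reset template. ASSUMPTION: newer releases take token_expiry as a duration
  # string like "minutes=30"; older releases take the integer 30.
  - model: authentik_stages_email.emailstage
    id: recovery-email
    identifiers:
      name: recovery-email
    attrs:
      use_global_settings: true
      subject: Password recovery
      template: email/password_reset.html
      token_expiry: minutes=30
      activate_user_on_success: true
  # Stage 3: prompt for the new password twice. A field keyed password_repeat
  # beside a password field is what makes the prompt stage enforce confirmation.
  - model: authentik_stages_prompt.prompt
    id: recovery-prompt-password
    identifiers:
      name: recovery-field-password
    attrs:
      field_key: password
      label: New password
      type: password
      required: true
      order: 0
  - model: authentik_stages_prompt.prompt
    id: recovery-prompt-password-repeat
    identifiers:
      name: recovery-field-password-repeat
    attrs:
      field_key: password_repeat
      label: Repeat password
      type: password
      required: true
      order: 1
  - model: authentik_stages_prompt.promptstage
    id: recovery-prompt
    identifiers:
      name: recovery-password-prompt
    attrs:
      fields:
        - !KeyOf recovery-prompt-password
        - !KeyOf recovery-prompt-password-repeat
  # Stage 4: write the new password to the matched user.
  - model: authentik_stages_user_write.userwritestage
    id: recovery-user-write
    identifiers:
      name: recovery-user-write
  # Bind the stages to the flow in execution order.
  - model: authentik_flows.flowstagebinding
    identifiers: {target: !KeyOf recovery-flow, stage: !KeyOf recovery-identification, order: 10}
  - model: authentik_flows.flowstagebinding
    identifiers: {target: !KeyOf recovery-flow, stage: !KeyOf recovery-email, order: 20}
  - model: authentik_flows.flowstagebinding
    identifiers: {target: !KeyOf recovery-flow, stage: !KeyOf recovery-prompt, order: 30}
  - model: authentik_flows.flowstagebinding
    identifiers: {target: !KeyOf recovery-flow, stage: !KeyOf recovery-user-write, order: 40}
  # Make it the brand's default recovery flow (ASSUMPTION: the default brand
  # is identified by domain authentik-default).
  - model: authentik_brands.brand
    identifiers:
      domain: authentik-default
    attrs:
      flow_recovery: !KeyOf recovery-flow
```

Such a file is applied the same way the playbook below applies the project's blueprint: placed in the worker's `/blueprints` directory and picked up on restart, or imported through the admin interface. Whatever the version, the identification settings (`show_matched_user: false`, `pretend_user_exists: true`) are the part worth keeping: a recovery form that responds differently for known and unknown email addresses leaks which accounts exist.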
63 lines
2.1 KiB
YAML
---
# Deploy password recovery flow with email notifications
- name: Deploy password recovery flow
  hosts: all
  gather_facts: no
  become: yes

  vars:
    # NOTE: this API token is committed in plaintext. It grants API access to
    # authentik, so it belongs in ansible-vault (or an environment lookup)
    # rather than in version control, and should be rotated once exposed.
    authentik_api_token: "ak_DtA2LG1Z9shl-tw9r0cs34B1G9l8Lpz76GxLf-4OBiUWbiHbAVJ04GYLcZ30"
    client_domain: "dev.vrije.cloud"

  tasks:
    - name: Create blueprints directory
      file:
        path: /opt/config/authentik/blueprints
        state: directory
        mode: '0755'

    - name: Copy recovery flow blueprint
      copy:
        src: ../roles/authentik/files/recovery-flow.yaml
        dest: /opt/config/authentik/blueprints/recovery-flow.yaml
        mode: '0644'
      register: blueprint_copied

    # The blueprint is placed in both containers; only the worker needs a
    # restart for blueprint discovery. The copy steps run only when the file
    # on the host actually changed.
    - name: Copy blueprint into authentik-worker container
      shell: |
        docker cp /opt/config/authentik/blueprints/recovery-flow.yaml authentik-worker:/blueprints/recovery-flow.yaml
      when: blueprint_copied.changed

    - name: Copy blueprint into authentik-server container
      shell: |
        docker cp /opt/config/authentik/blueprints/recovery-flow.yaml authentik-server:/blueprints/recovery-flow.yaml
      when: blueprint_copied.changed

    - name: Restart authentik-worker to force blueprint discovery
      shell: docker restart authentik-worker
      when: blueprint_copied.changed

    # Poll the API until the flow instance exists (curl -f makes a non-2xx
    # response fail the task, which triggers the retry). no_log keeps the
    # bearer token out of the Ansible output.
    - name: Wait for blueprint to be applied
      shell: |
        sleep 30
        docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \
          'http://localhost:9000/api/v3/flows/instances/?slug=default-recovery-flow'
      register: flow_check
      retries: 6
      delay: 10
      until: flow_check.rc == 0
      no_log: true

    - name: Display success message
      debug:
        msg: |
          ✓ Password recovery flow deployed successfully!

          Users can now reset their passwords by:
          1. Going to https://auth.{{ client_domain }}/if/flow/default-recovery-flow/
          2. Entering their email address
          3. Receiving a recovery link via email
          4. Clicking the link and setting a new password

          The recovery link expires in 30 minutes.
          Emails are sent via Mailgun SMTP (noreply@mg.vrije.cloud)